A CIO Blog with a twist; majority of my peer CIOs talk about the challenges they face with vendors, internal customers, Business folks and when things get through the airwaves, the typical response is "Oh I See". Some of you may disagree with my meanderings and that's okay. It's largely experiential and sometimes a lot of questions

Updated every Monday. Views are personal

Wednesday, May 24, 2017

A recent but already fading cyber incident exposed technology vulnerabilities that were always known and ticked off as acceptable risk by almost every enterprise. It was all about deferring necessary change to keep spending lower; for some it was about the inability to change because the vendor, supplier or support provider did not offer an upgrade, necessitating a replacement that would have raised the budget. Unfortunately, in this case the risk materialized into a disaster whose impact will take a long time to understand.

It was unsurprising to see friend, foe, acquaintance, partner, bystander, everyone shed their differences and come together to tackle the situation and the problem; for many survival was at stake, for others it was an opportunity to make a fast buck. Either way they flocked together, commiserating with the unfortunate and talking about the safety steps they had taken that fended off the enemy. It did not matter whether their good fortune was a result of their actions, the providence of their inaction, or ignorant apathy; for now they were the heroes and survivors.

Flashback to an earlier incident of a similar nature: in a large enterprise an ERT (Emergency Response Team) meeting was called to discuss the threat as it spread, and the anticipation of more to come after an accidental recess. The CXO collective gushed forth with their assessment of the widespread damage and impact to the market, revenue, and the world at large. It gave them an excuse for future quarterly results should the numbers not make the cut. Soon they ran out of things to say and there was silence in the room as everyone turned to the CIO.

The CIO stood up and gave the gathering the good and the bad news. The good news: almost 99% of the enterprise had survived the attack. He paused for the applause to subside and then continued with the bad news: the systems impacted held critical machine data that was now unrecoverable, and this impacted regulatory compliance. No pin dropped to break the eerie lack of sound as the Head of Risk and Compliance (R&C) stood up and asked the CIO to clarify the specifics of the damage: which plant, which product, which market?

The CXOs no longer needed an excuse; the resultant impact was real and they had a tough situation at hand, considering that the management response to the last audit had clearly stated a budget for the upgrade of the impacted systems. Not long before, Finance had at the last minute stayed the upgrade/replacement in order to depict a better quarter. The R&C Head was tasked with declaring the news to the Board and CEO, while the CFO agreed not to hold back further budgets that even remotely impacted any regulatory compliance.

Never let a good crisis go to waste, so said a well-known statesman well before most of us were born, or for that matter before technology overtook our lives. Our team did exactly the same; between the CIO and the Head of R&C, they garnered the budget required to take care of future eventualities. The rest of the CXOs used the opportunity to justify suboptimal performance, and the company took a hit larger than most others in the industry. Things came back to normal and life moved on, the lessons catalogued and filed for posterity.

Less than 24 hours had passed since the news broke of the disaster that hit far and wide; the same team, barring a few who had moved on, met again to assess the damage. This time the news was scarier, the spread wider, the impact larger, and the world was unable to contain the losses. This time faces were grim and little small talk preceded the meeting; the CEO's presence too added to the gravity of the event. The impact was not dissimilar to the past; it appeared that the remediation sanctioned had not changed the fortunes of the company.

Livid and frustrated, the CEO wanted heads to roll: how can we make the same mistake twice? He sensed the fear and waited for the CIO and the Head of R&C to finish before seeking the perpetrators of the current situation. No guesses for whom the sword fell upon; it was swift, and no explanations were sought, none given. Money flowed to solve the problem, lessons learned were catalogued once again, and the impact was fortunately not allowed to be used as an excuse for any future adverse performance by any of the functions.

It is a rare enterprise that imbibes learning without finding scapegoats; make yours one!

Monday, May 08, 2017

Everyone hates passwords but uses them as a necessity to protect corporate digital assets, personal information, and financial assets. Their complexity has increased with time, and so has the ability to crack them. This resulted in multi-factor authentication by various means, the most popular being an OTP (One Time Password) delivered to the mobile phone as an SMS. That insecure delivery channel, susceptible to MITM (Man In The Middle) attacks, poses challenges to almost all communication including the OTP, as recently demonstrated with the SS7 vulnerability.

Appification offers alternatives claiming higher-grade secure solutions to the problem, built on some of the available technologies; adoption has been slow, and efficacy depends on device features and on action from the consumer. The slow pace of change in the ability to rise to the security challenge has resulted in multiple breaches and financial and reputational loss. As a result there is an attempt to raise the bar and deploy biometric solutions as the final measure of security, since biometrics are perceived to be difficult to replicate.

In the early days of science fiction and the world of espionage, the highest level of security depicted was biometric control: starting with fingerprints, then hand scans, facial patterns, voice recognition, and finally the iris scan. These were portrayed as immutable and secure, saving the protagonist or defeating the antagonist in the movies. With imagination overtaking reality, these too were compromised with recorded voices, lifted fingerprints and face masks; the real world mimics fiction in many ways, and replay attacks overcome security barriers.

Ingenuity, stupidity and everything in between have played a role in creating the fragile walls around the physical and digital assets that need protection. Governments are capturing biometric data for basic identity creation and the management of citizen services; enterprises capture fingerprints and more, largely for access to physical premises and attendance recording. Within an enterprise all of this data gets replicated across servers and locations to seamlessly allow access and convenience to employees and partners.

Enterprise security has faced challenges with data protection and leakage, whether intentional or through error and omission. The widespread use of biometric data now raises concerns for individuals when the data is dispersed across multiple access points for authentication by the enterprise. Should the information be compromised, the repercussions for individuals can be far and wide. Masquerading and false identities built from data that is now also used with Government services lead to seriously scary scenarios for individuals, and more.

Fingerprint data is the most commonly used form factor, and we have just 10 of these unique identities available to us. While they can be altered to some extent by cuts and/or abrasions, they cannot be changed; therein lies the challenge for individuals who are now being asked to provide their bio-identities across the board, with no recourse, to be stored, retrieved and used to verify the person. Widespread use poses significant risk, with their propagation over channels, secure or otherwise, increasing the attack surface.

What are the alternatives? Do we need additional factors of authorization for the use of biometric data? Do we need federated identities which subsume other forms of identity to create better alternatives? Identity-based cryptography has been a theoretical solution to the problem, though not much headway has been made in this direction due to the underlying complexity and the large set of identities to be provided in the now hyper-connected digital world, where the need goes beyond human identities.

Use cases explode with IoT and other devices, all of which need unique identifiers and private keys; the resulting solution, however, fails if the Private Key Generator is compromised or subject to quantum computer attacks. M2M communication is on an exponential growth path, requiring a different level of thinking to solve the problem. The limitations of current PKI (Public Key Infrastructure) are well known and need to be addressed for a viable alternative to succeed and overcome the growing problem.

Coming back to biometric authentication and authorization, it is imperative that it be used in an encapsulated form, without transmission or storage of the biometric data outside the device that captures it. Individual consumers too need to be educated and made aware of the weaknesses of the current structure; enterprises should review the capture and use of biometrics across the enterprise to safeguard the interests of their employees. After all, once the data is compromised there is little a person can do about his fingerprint identity, and that is a scary place to be.
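The "encapsulated form" the post asks for can be made concrete: the enrolled template stays on the authenticator, a live scan is matched locally, and a successful match only unlocks a device-held key that answers a fresh server challenge, so the server stores registration material and nonces but never a fingerprint. The following is an added example, not code from the blog or any vendor, that models that split with the standard library. The template is a constructed 256-bit stand-in, the bit-error threshold is constructed, and the device key is an HMAC shared key used as a stand-in for the asymmetric key pair a FIDO-style authenticator would register (with a key pair the server would hold only a public key).

```python
import hashlib
import hmac
import secrets

# A fresh scan never reproduces the enrolled template bit for bit, so matching
# tolerates some noise. Constructed threshold for a 256-bit stand-in template.
MATCH_THRESHOLD_BITS = 24


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Device:
    """Authenticator side. The template and the device key are private
    attributes that no method returns or transmits."""

    def __init__(self, template: bytes):
        self._template = template
        self._key = secrets.token_bytes(32)

    def registration_material(self) -> bytes:
        # HMAC-key stand-in for the public key a FIDO-style authenticator registers;
        # it carries no information about the biometric.
        return self._key

    def respond(self, live_scan: bytes, challenge: bytes):
        """Local match gates the response; only a MAC over the server's challenge leaves."""
        if hamming_distance(live_scan, self._template) > MATCH_THRESHOLD_BITS:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Relying party. Stores registration material and one pending nonce per user."""

    def __init__(self):
        self._keys = {}
        self._pending = {}

    def register(self, user: str, material: bytes) -> None:
        self._keys[user] = material

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response) -> bool:
        nonce = self._pending.pop(user, None)  # single use: a response cannot be replayed
        if nonce is None or response is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise (or a different finger) by flipping bit positions."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def demo() -> dict:
    """Enrol, then try a genuine scan, an impostor scan, and a replayed response."""
    template = hashlib.sha256(b"constructed enrolment scan").digest()  # constructed template
    device = Device(template)
    server = Server()
    server.register("alice", device.registration_material())

    noisy_scan = flip_bits(template, range(0, 40, 4))   # 10 bits off: same finger, sensor noise
    genuine = server.verify("alice", device.respond(noisy_scan, server.challenge("alice")))

    wrong_scan = flip_bits(template, range(0, 256, 2))  # 128 bits off: different finger
    impostor = server.verify("alice", device.respond(wrong_scan, server.challenge("alice")))

    # A captured response answers an old nonce and is useless against the next one.
    captured = device.respond(noisy_scan, server.challenge("alice"))
    server.challenge("alice")
    replay = server.verify("alice", captured)
    return {"genuine": genuine, "impostor": impostor, "replay": replay}
```

The point of the split is what a breach exposes: compromising the server yields keys that can be revoked and re-registered, never the 10 fingerprints the post says cannot be changed.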

PS: I happened to meet a startup which claims to have solved the problem; more as I get to the bottom of this!